Serialization is when an object in a programming language (such as PHP) is converted into a format that can be stored or transferred (much like a zip file). Whereas deserialization refers to the opposite: it’s the unpackaging of an object and conversion back into an object.
In PHP, the function to deserialize is "unserialize()". When you (or an attacker) controls a serialized object that is passed into unserialize(), you control the properties of the created object. You might also be able to hijack the flow of the application by controlling the values passed into automatically executed methods like __wakeup() or __destruct().
This is called a PHP object injection. PHP object injection can lead to variable manipulation, code execution, SQL injection, path traversal, or DoS.